authortunturn <arbiter1000@gmail.com>2017-03-09 12:36:22 +1100
committerMax Weffers <rcstar6696@gmail.com>2017-03-14 13:19:58 +0100
commitbda77e8b2f5266a03031a294af96876c4410ea6e (patch)
tree68cada46cc2aae1031d12394ad1c18161ace6e66
parent0fb1a17dca83816d614ecc4bcf466b559c8e9d09 (diff)
sepolicy: changes for bluetooth denials
Change-Id: I2ca85cd2c555b74f8de63c05e1e6dd2cc292dac9
-rw-r--r--sepolicy/file.te4
-rw-r--r--sepolicy/file_contexts3
-rw-r--r--sepolicy/init.te5
-rw-r--r--sepolicy/te_macros9
-rw-r--r--sepolicy/uim.te13
5 files changed, 33 insertions, 1 deletions
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 3b612b6..da08fbe 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -6,3 +6,7 @@ type secd_data_file, file_type;
# idd
type iddd_file, file_type, data_file_type;
+
+# BRCM BT FM
+type brcm_ldisc_sysfs, sysfs_type, fs_type;
+type brcm_uim_exec, exec_type, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index f4f6c13..3c1a1d8 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -36,7 +36,8 @@
/system/bin/wvkbd u:object_r:wv_exec:s0
-
+# Bluetooth
+/system/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
###########
#credmgrd
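Review bot: Only the executable gets a label in this hunk; the `brcm_ldisc_sysfs` type declared in file.te is not assigned to any path anywhere in the visible commit, so unless it is labelled elsewhere the node keeps the generic `sysfs` label and the new type is never matched. That would explain why uim.te also needs a blanket rule on `sysfs`. I would add the labelling entry next to this one, for example `<SYSFS_PATH_OF_LDISC_NODE>(/.*)? u:object_r:brcm_ldisc_sysfs:s0` (placeholder path, to be filled in from the denial log), or a matching `genfscon` line if the node is not covered by restorecon. The blank line this hunk removes also separated the entry from the `###########` banner of the next section and is worth keeping.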
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..dd6d281
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,5 @@
+#FM BCM
+allow init hci_attach_dev:chr_file rw_file_perms;
+allow init brcm_uim_exec:file { execute getattr read open };
+allow init brcm_ldisc_sysfs:lnk_file { read };
+allow init uim:process { siginh noatsecure transition rlimitinh };
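Review bot: The `noatsecure` permission in the last rule should not be granted: it tells the kernel to skip secure-exec (AT_SECURE) handling when init transitions into `uim`, so the linker's environment sanitisation is turned off for a process that later holds `dac_override`. The denial is normally silenced instead, `dontaudit init uim:process noatsecure;`, with the allow reduced to `allow init uim:process { transition siginh rlimitinh };`. The `brcm_uim_exec` line and this one together look like a hand-expanded domain transition, so `domain_auto_trans(init, brcm_uim_exec, uim)` in uim.te would be the more conventional way to write it. Nothing visible here adds a `type_transition`, so the service presumably depends on a `seclabel` in its init .rc entry; a comment saying so would help the next reader.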
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..136d928
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,9 @@
+# rw_dir_file(domain, type)
+# Allow the specified domain to read and write directories, files
+# and symbolic links of the specified type.
+define(`rw_dir_file', `
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:{ file lnk_file } rw_file_perms;
+')
+
+
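Review bot: `rw_dir_file` always pairs file write access with `rw_dir_perms` on directories, which, as far as I recall from the platform's global macros, includes `add_name` and `remove_name`. Entries can only be created or removed in a data directory, but three of the four callers in uim.te pass sysfs types, where `r_dir_perms` on the directory would be enough. I would either narrow the directory rule to `allow $1 $2:dir r_dir_perms;` and grant directory write separately for `bluetooth_data_file`, or extend the header comment with `# Note: also grants creating and removing directory entries; do not use for sysfs types.` The two trailing blank lines at the end of the file can go.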
diff --git a/sepolicy/uim.te b/sepolicy/uim.te
new file mode 100644
index 0000000..1a38892
--- /dev/null
+++ b/sepolicy/uim.te
@@ -0,0 +1,13 @@
+type uim, domain;
+
+rw_dir_file(uim, sysfs)
+rw_dir_file(uim, brcm_ldisc_sysfs)
+rw_dir_file(uim, bluetooth_data_file)
+rw_dir_file(uim, sysfs_bluetooth_writable)
+allow uim brcm_uim_exec:file { entrypoint getattr read execute };
+allow uim hci_attach_dev:chr_file { read write ioctl open };
+allow uim self:capability { net_admin dac_override };
+allow uim rootfs:lnk_file getattr;
+allow uim ta_data_file:dir search;
+allow uim bluetooth_prop:sock_file write;
+allow uim ta_data_file:file r_file_perms;
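Review bot: `rw_dir_file(uim, sysfs)` gives this domain write access to every sysfs node that carries the generic label, and `dac_override` in the `self:capability` rule then removes the Unix permission checks that would otherwise limit it; together they are much wider than a line-discipline helper needs. Once the ldisc node is labelled `brcm_ldisc_sysfs`, the `sysfs` line can be dropped, and `dac_override` is better fixed at the source by setting the node's owner and mode from init (`chown`/`chmod` in the .rc) so the rule becomes `allow uim self:capability net_admin;`. The rule `allow uim bluetooth_prop:sock_file write;` also looks like a denial copied verbatim: `bluetooth_prop` is a property type, not a socket, so if the daemon sets a Bluetooth property the intent is probably `set_prop(uim, bluetooth_prop)`, assuming that macro exists on this platform version. A one-line comment above each of the `ta_data_file` rules saying what the daemon reads from there would make the policy reviewable without the denial log.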